Cloudflare's incredible solution for IoT security: Use our services

And, oh for $DEITY's sake, yet ANOTHER best-practices standards organization?


Traffic bouncer Cloudflare has outlined what it claims is the solution to the perennial internet-of-things security problem: pay it.

The company points out what most security experts have been saying for some time: IoT devices are a security disaster, they are going to grow exponentially, and when people can't even be relied on to update their browsers, having billions of unpatched internet-connected devices is a disaster waiting to happen.

And so Cloudflare has come up with its solution: route everything through us.

This does not come as a huge surprise. The company does tend to offer the same solution to every online problem: Distributed denial of service (DDoS) attack? Route your traffic through us. Man-in-the-middle attack? Pay us to deal with your data. Too many spam comments? We have a paid service for that. Need encryption? Guess what?

But that doesn't mean that the company's new Orbit service is a bad idea. In fact, it may very well be a good or even great idea given the state of the current system for securing online devices.

The basic idea is quite simple: in the same way website owners pay Cloudflare to sit in between them and their visitors, IoT manufacturers will pay for the Orbit service to sit between their devices and the public internet.

The manufacturers will configure their devices to only go through Orbit, which gives them (or, more accurately, Cloudflare) the ability not only to shield tech-ignorant consumers from hacking efforts, but also to apply virtual security patches across all of their devices at once.

Open-ish

Although this is far from ideal since it introduces a proprietary layer to the open internet, the reality is that it could be a lifesaver for IoT companies, which have persistently shown themselves incapable of carrying out decent security audits on their products and continue to make basic errors, like hard-coding passwords.

And, to be fair to Cloudflare, the company has shown itself to be very capable of handling huge amounts of traffic without lag or collapse.

The million-dollar question of course is: how much does it cost? Cloudflare told us that the fee was based on the number of devices and the bandwidth required but wouldn't provide an exact figure.

If the cost is $10 a year per device and an IoT company can offer the extra security as part of a premium package – alongside cloud recording or similar – then it is probably a great deal.

But if the idea is that it will be supplied for free to customers who buy the product and don't sign up to an ongoing service fee, then the price is going to have to be much, much lower for there to be any kind of significant take-up.

Of course, the biggest security risk comes from companies offering low-price IoT items that don't require ongoing fees. So while Cloudflare's new service may help improve the security of mid- to high-end IoT products, the huge risks from the low end are unlikely to go away. So expect plenty more DDoS attacks from zombie webcams.

And then there is the fact that if lots of IoT manufacturers chose to use this service, it would make Cloudflare a single point of failure and hence a huge target for hackers. And Cloudflare, like any company using software, is not immune to bugs – bugs that can provide an enormous wealth of information.

Oh please god no, not another one

One thing we do have to pick on Cloudflare for, however: in the official notice of the new service, the company notes that it is "introducing the industry's first IoT alliance – made up of a group of IoT companies and experts in the field – that will be committed to forming best practices and standards for protecting connected devices and ensuring the resilience of the Internet of Things."

Far from this being the "industry's first IoT alliance," this effort will only add yet more overhead and confusion to a massively overpopulated world of internet-of-things alliances, consortiums, organizations, groups, working groups, feuding government departments, security experts pushing for laws, legislators and consumer agencies pretending not to hear, and god knows what else.

Below is a partial list of the people working on IoT security and best practices. We wonder why on earth Cloudflare thinks it's a good idea to add yet another one to the list. ®

That barren landscape of Internet of Things standards bodies

